Dear ports@,

updating graphics/djvulibre to 3.5.28 fixes the following bugs:
CVE-2021-3630: out-of-bounds write
CVE-2019-15143: infinite recursion
CVE-2019-15142: heap buffer over-read
CVE-2019-18804: NULL pointer deref

I added more bug fixes that are not yet in a release.

For testing I compiled graphics/djviewer and opened two old ebooks.
I also make tested graphics/ImageMagick.

mbuhl

Index: graphics/djvulibre/Makefile
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
retrieving revision 1.45
diff -u -p -r1.45 Makefile
--- graphics/djvulibre/Makefile 12 Jul 2019 20:46:57 -0000      1.45
+++ graphics/djvulibre/Makefile 16 Sep 2021 21:01:47 -0000
@@ -2,9 +2,8 @@
 
 COMMENT=       view, decode and encode DjVu files
 
-DISTNAME=      djvulibre-3.5.27
-REVISION=      6
-SHARED_LIBS=   djvulibre       26.0    # 27.0
+DISTNAME=      djvulibre-3.5.28
+SHARED_LIBS=   djvulibre       27.0    # 28.0
 CATEGORIES=    graphics print
 
 HOMEPAGE=      http://djvu.sourceforge.net/
Index: graphics/djvulibre/distinfo
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- graphics/djvulibre/distinfo 12 May 2015 16:10:27 -0000      1.9
+++ graphics/djvulibre/distinfo 16 Sep 2021 21:01:47 -0000
@@ -1,2 +1,2 @@
-SHA256 (djvulibre-3.5.27.tar.gz) = 5pZoJSVlYDh1+4hQDN4Cv5PRLUijiE5HJpbIlugfUF8=
-SIZE (djvulibre-3.5.27.tar.gz) = 3648522
+SHA256 (djvulibre-3.5.28.tar.gz) = /NAJ6nZU/eWoNgDrgHV706dpmOR9E8ZrVMjbhJ+PLtw=
+SIZE (djvulibre-3.5.28.tar.gz) = 3701161
Index: graphics/djvulibre/patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/patches/patch-configure_ac,v
retrieving revision 1.2
diff -u -p -r1.2 patch-configure_ac
--- graphics/djvulibre/patches/patch-configure_ac       12 May 2015 16:10:27 
-0000      1.2
+++ graphics/djvulibre/patches/patch-configure_ac       16 Sep 2021 21:01:47 
-0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-configure_ac,v 1.2 2015/05/12 16:10:27 shadchin Exp $
---- configure.ac.orig  Sun Mar 29 10:30:55 2015
-+++ configure.ac       Sun Mar 29 10:31:17 2015
-@@ -129,7 +129,6 @@ RM="$RM -f"
+Index: configure.ac
+--- configure.ac.orig
++++ configure.ac
+@@ -131,7 +131,6 @@ RM="$RM -f"
  # Libtool & Compilers
  AC_PROG_CC
  AC_PROG_CXX
Index: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp       16 Sep 2021 
21:01:47 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Fix CVE-2021-32492: Out-of-Bounds Read
+https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
+
+Index: libdjvu/DataPool.cpp
+--- libdjvu/DataPool.cpp.orig
++++ libdjvu/DataPool.cpp
+@@ -791,6 +791,9 @@ DataPool::create(const GP<DataPool> & pool, int start,
+   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " 
start=" << start << " length= " << length << "\n");
+   DEBUG_MAKE_INDENT(3);
+ 
++  if (!pool)
++    G_THROW( ERR_MSG("DataPool.zero_DataPool") );
++
+   DataPool *xpool=new DataPool();
+   GP<DataPool> retval=xpool;
+   xpool->init();
Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
--- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp        2 Mar 2016 
20:10:36 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,94 +0,0 @@
-$OpenBSD: patch-libdjvu_DjVmDir_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- libdjvu/DjVmDir.cpp.orig   Tue Jul  8 23:15:07 2014
-+++ libdjvu/DjVmDir.cpp        Wed Feb  3 01:51:28 2016
-@@ -223,7 +223,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
-    page2file.resize(-1);
-    name2file.empty();
-    id2file.empty();
--   title2file.empty();
- 
-    int ver=str.read8();
-    bool bundled=(ver & 0x80)!=0;
-@@ -375,18 +374,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
-                 G_THROW( ERR_MSG("DjVmDir.dupl_id") "\t" + file->id);
-              id2file[file->id]=file;
-       }
--
--         // Generate title2file map
--      for(pos=files_list;pos;++pos)
--      {
--             GP<File> file=files_list[pos];
--             if (file->title.length())
--             {
--                if (title2file.contains(file->title))
--                   G_THROW( ERR_MSG("DjVmDir.dupl_title") "\t" + file->title);
--                title2file[file->title]=file;
--             }
--      }
-    }
- }
- 
-@@ -556,11 +543,19 @@ DjVmDir::id_to_file(const GUTF8String &id) const
- }
- 
- GP<DjVmDir::File>
--DjVmDir::title_to_file(const GUTF8String &title) const
-+DjVmDir::title_to_file(const GUTF8String &title, GPosition spos) const
- {
--   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
--   GPosition pos;
--   return (title2file.contains(title, 
pos))?title2file[pos]:(GP<DjVmDir::File>(0));
-+  if (! title)
-+    return 0;
-+  GCriticalSectionLock lock((GCriticalSection *) &class_lock);
-+  if (! spos)
-+    for (GPosition pos = spos; pos; ++pos)
-+      if (files_list[pos]->is_page() && files_list[pos]->title == title)
-+        return files_list[pos];
-+  for (GPosition pos = files_list; pos; ++pos)
-+    if (files_list[pos]->is_page() && files_list[pos]->title == title)
-+      return files_list[pos];
-+  return 0;
- }
- 
- GP<DjVmDir::File>
-@@ -661,14 +656,7 @@ DjVmDir::insert_file(const GP<File> & file, int pos_nu
-      G_THROW( ERR_MSG("DjVmDir.dupl_name2") "\t" + file->name);
-    name2file[file->name]=file;
-    id2file[file->id]=file;
--   if (file->title.length())
--     {
--       if (title2file.contains(file->title))  
--         // duplicate titles may become ok some day
--         G_THROW( ERR_MSG("DjVmDir.dupl_title2") "\t" + file->title);
--       title2file[file->title]=file;
--     }
--
-+   
-       // Make sure that there is no more than one file with shared annotations
-    if (file->is_shared_anno())
-    {
-@@ -727,7 +715,6 @@ DjVmDir::delete_file(const GUTF8String &id)
-       {
-          name2file.del(f->name);
-          id2file.del(f->id);
--         title2file.del(f->title);
-          if (f->is_page())
-          {
-             for(int page=0;page<page2file.size();page++)
-@@ -788,9 +775,7 @@ DjVmDir::set_file_title(const GUTF8String &id, const G
-    if (!id2file.contains(id, pos))
-       G_THROW( ERR_MSG("DjVmDir.no_info") "\t" + GUTF8String(id));
-    GP<File> file=id2file[pos];
--   title2file.del(file->title);
-    file->title=title;
--   title2file[title]=file;
- }
- 
- GPList<DjVmDir::File>
Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
--- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h  2 Mar 2016 20:10:36 
-0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,41 +0,0 @@
-$OpenBSD: patch-libdjvu_DjVmDir_h,v 1.1 2016/03/02 20:10:36 juanfra Exp $
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- libdjvu/DjVmDir.h.orig     Tue Jul  8 23:15:07 2014
-+++ libdjvu/DjVmDir.h  Wed Feb  3 01:51:28 2016
-@@ -181,7 +181,8 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
-       /** Translates file IDs to file records. */
-    GP<File> id_to_file(const GUTF8String &id) const;
-       /** Translates file shortcuts to file records. */
--   GP<File> title_to_file(const GUTF8String &title) const;
-+   GP<File> title_to_file(const GUTF8String &title, GPosition spos) const;
-+   GP<File> title_to_file(const GUTF8String &title) const; 
-       /** Access file record by position. */
-    GP<File> pos_to_file(int fileno, int *ppageno=0) const;
-       /** Returns position of the file in the directory. */
-@@ -216,7 +217,6 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
-    GPArray<File> page2file;
-    GPMap<GUTF8String, File> name2file;
-    GPMap<GUTF8String, File> id2file;
--   GPMap<GUTF8String, File> title2file;
- private: //dummy stuff
-    static void decode(ByteStream *);
-    static void encode(ByteStream *);
-@@ -438,6 +438,13 @@ DjVmDir::is_indirect(void) const
-   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
-   return ( files_list.size() && files_list[files_list] != 0 &&
-            files_list[files_list]->offset==0 );
-+}
-+
-+inline GP<DjVmDir::File> 
-+DjVmDir::title_to_file(const GUTF8String &title) const
-+{
-+  GPosition pos;
-+  return title_to_file(title, pos);
- }
- 
- 
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
--- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp   2 Mar 2016 
20:10:36 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,37 +0,0 @@
-$OpenBSD: patch-libdjvu_DjVuDocument_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp 
$
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- libdjvu/DjVuDocument.cpp.orig      Mon Sep 22 00:06:03 2014
-+++ libdjvu/DjVuDocument.cpp   Wed Feb  3 01:51:28 2016
-@@ -805,11 +805,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
-           {
-             GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
-             if (!file)
--              {
-                 file=djvm_dir->name_to_file(id);
--              if (!file)
--                  file=djvm_dir->title_to_file(id);
--              }
-+            if (!file)
-+                file=djvm_dir->title_to_file(id);
-             if (file)
-               return GURL::UTF8(file->get_load_name(),init_url);
-           }
-@@ -819,11 +817,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
-           {
-              GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
-              if (!file)
--               {
-                  file=djvm_dir->name_to_file(id);
--               if (!file)
--                   file=djvm_dir->title_to_file(id);
--               }
-+            if (!file)
-+                file=djvm_dir->title_to_file(id);
-              if (file)
-                return GURL::UTF8(file->get_load_name(),init_url.base());
-           }
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
--- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h     2 Mar 2016 
20:10:36 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,17 +0,0 @@
-$OpenBSD: patch-libdjvu_DjVuDocument_h,v 1.1 2016/03/02 20:10:36 juanfra Exp $
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- libdjvu/DjVuDocument.h.orig        Tue Jul  8 23:15:07 2014
-+++ libdjvu/DjVuDocument.h     Wed Feb  3 01:51:28 2016
-@@ -524,7 +524,6 @@ class DJVUAPI DjVuDocument : public DjVuPort (public)
-                  \begin{enumerate}
-                     \item File ID from the \Ref{DjVmDir}
-                     \item File name from the \Ref{DjVmDir}
--                    \item File title from the \Ref{DjVmDir}
-                  \end{enumerate}
-                  Then for #BUNDLED# document the URL is obtained by
-                  appending the #name# of the found file to the document's
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp       16 Sep 2021 
21:01:47 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
+
+Index: libdjvu/DjVuFile.cpp
+--- libdjvu/DjVuFile.cpp.orig
++++ libdjvu/DjVuFile.cpp
+@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int fil
+     GURL incl_url=pcaster->id_to_url(this, incl_str);
+     if (incl_url.is_empty())  // Fallback. Should never be used.
+       incl_url=GURL::UTF8(incl_str,url.base());
++    if (incl_url == url)        // Infinite loop avoidance
++      G_THROW( ERR_MSG("DjVuFile.malformed") );
+     
+     // Now see if there is already a file with this *name* created
+     {
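Review bot: The added guard `if (incl_url == url)` only rejects a chunk whose include resolves to the file currently being processed, so a cycle through two or more files (A includes B, B includes A) still passes this comparison. Whether longer cycles are stopped elsewhere is not visible here, since process_incl_chunk starts and ends outside the hunk, so that is worth confirming before treating the loop as closed. This patch file also lacks the one-line description its siblings carry; a header line such as `Reject include chunks that refer back to the including file` would tell the next porter why it exists.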
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
--- graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h  2 Mar 2016 
20:10:36 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,20 +0,0 @@
-$OpenBSD: patch-libdjvu_DjVuMessageLite_h,v 1.1 2016/03/02 20:10:36 juanfra 
Exp $
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- libdjvu/DjVuMessageLite.h.orig     Tue Jul  8 23:15:07 2014
-+++ libdjvu/DjVuMessageLite.h  Wed Feb  3 01:51:28 2016
-@@ -89,8 +89,8 @@ class ByteStream;
-     separator ::= newline |
-                   newline | separator
-     
--    single_message ::= message_ID |
--                       message_ID parameters
-+    single_message ::= CTRLC message_ID |
-+                       CTRLC message_ID parameters
-     
-     parameters ::= tab string |
-                    tab string parameters
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp,v
retrieving revision 1.1
diff -u -p -r1.1 patch-libdjvu_DjVuPalette_cpp
--- graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp    20 Apr 2017 
01:40:33 -0000      1.1
+++ graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp    16 Sep 2021 
21:01:47 -0000
@@ -1,11 +1,12 @@
 $OpenBSD: patch-libdjvu_DjVuPalette_cpp,v 1.1 2017/04/20 01:40:33 espie Exp $
---- libdjvu/DjVuPalette.cpp.orig       Thu Apr 20 03:30:12 2017
-+++ libdjvu/DjVuPalette.cpp    Thu Apr 20 03:38:11 2017
-@@ -98,6 +98,7 @@ inline unsigned char 
+Index: libdjvu/DjVuPalette.cpp
+--- libdjvu/DjVuPalette.cpp.orig
++++ libdjvu/DjVuPalette.cpp
+@@ -99,6 +99,7 @@ inline unsigned char 
  umin(unsigned char a, unsigned char b) 
  { return (a>b) ? b : a; }
  
 +#define fmin myfmin
  inline float 
- fmin(float a, float b) 
+ fmin(float a, float b)
  { return (a>b) ? b : a; }
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp       16 Sep 2021 
21:01:47 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+Fix CVE-2021-3500: Stack-Based Buffer Overflow
+https://bugzilla.redhat.com/show_bug.cgi?id=1943411
+
+Index: libdjvu/DjVuPort.cpp
+--- libdjvu/DjVuPort.cpp.orig
++++ libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP<DjVuFile>
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+    GPList<DjVuPort> list;
++
++   if (!!opening_id && opening_id == id)
++      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
++   else
++      opening_id = id;
++
+    compute_closure(source, list, true);
+    GP<DjVuFile> file;
+    for(GPosition pos=list;pos;++pos)
+       if ((file=list[pos]->id_to_file(source, id))) break;
++
++   opening_id = GUTF8String();
++
+    return file;
+ }
+ 
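Review bot: The reset `opening_id = GUTF8String();` in DjVuPortcaster::id_to_file is skipped whenever compute_closure or a nested id_to_file throws, including the new `recursive_open` throw raised from an inner call. `opening_id` then stays equal to that id, and the next lookup of the same id is rejected as recursive although nothing is open. Clearing the member on the exception path as well avoids that stale state. A single `opening_id` also only remembers the most recent id, so a cycle that alternates between two ids would presumably not be caught; and if the portcaster is shared between threads, the member needs the same locking as the rest of the class, which is not visible in this hunk.

```cpp
   // … unchanged: recursive_open check and opening_id = id …
   GP<DjVuFile> file;
   G_TRY
     {
       compute_closure(source, list, true);
       for(GPosition pos=list;pos;++pos)
         if ((file=list[pos]->id_to_file(source, id))) break;
     }
   G_CATCH_ALL
     {
       // leave no stale marker behind when the lookup fails
       opening_id = GUTF8String();
       G_RETHROW;
     }
   G_ENDCATCH;
   opening_id = GUTF8String();
   return file;
```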
Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h 16 Sep 2021 21:01:47 
-0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+Fix CVE-2021-3500: Stack-Based Buffer Overflow
+https://bugzilla.redhat.com/show_bug.cgi?id=1943411
+
+Index: libdjvu/DjVuPort.h
+--- libdjvu/DjVuPort.h.orig
++++ libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ class DJVUAPI DjVuPortcaster (private)
+                        const DjVuPort *dst, int distance);
+    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
+                         bool sorted=false);
++   GUTF8String opening_id;
+ };
+ 
+ 
Index: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp        16 Sep 2021 
21:01:47 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fix CVE-2021-32493: Integer Overflow Leading to Heap Buffer Overflow
+https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
+
+Index: libdjvu/GBitmap.cpp
+--- libdjvu/GBitmap.cpp.orig
++++ libdjvu/GBitmap.cpp
+@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
++  if (ncolumns + border != (unsigned short)(ncolumns+border))
++    G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );
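Review bot: The new size check in GBitmap::decode depends on an implicit narrowing that nothing in the code explains. It compares `ncolumns + border` with its `(unsigned short)` truncation, presumably because `bytes_per_row` is that narrow; its declaration is outside the hunk. I would add a comment above the check, for example `// bytes_per_row must fit in unsigned short; reject widths that would be truncated`. The thrown text is a literal string while the neighbouring throws use `ERR_MSG(...)` keys, so it probably bypasses the message catalogue; that matches the IW44Image patch but should be a deliberate choice. decode() continues outside the hunk.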
Index: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
diff -N graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp      16 Sep 2021 
21:01:47 -0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+Fix CVE-2021-32490: out of bounds write
+https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
+
+Index: libdjvu/IW44Image.cpp
+--- libdjvu/IW44Image.cpp.orig
++++ libdjvu/IW44Image.cpp
+@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, 
+   // Allocate reconstruction buffer
+   short *data16;
+   size_t sz = bw * bh;
++  if (sz == 0)
++    G_THROW("IW44Image: image size is zero (corrupted file?)");
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
++  if (data16 == 0)
++    G_THROW("IW44Image: unable to allocate image buffer");
+   // Copy coefficients
+   int i;
+   short *p = data16;
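Review bot: The overflow test after `size_t sz = bw * bh;` in IW44Image::Map::image runs on a product that has already been computed in the operands' own type. The declarations of `bw` and `bh` are outside the hunk; if they are `int`, the multiplication can overflow (undefined behaviour for signed types) before the value is widened, and the division check then inspects an already-wrapped result. Widening first, as the ddjvu.cpp patch in this same update does, makes the check meaningful: `size_t sz = (size_t)bw * (size_t)bh;`. The added `sz == 0` test is correctly placed ahead of the division by `bw`.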
Index: graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp,v
retrieving revision 1.2
diff -u -p -r1.2 patch-libdjvu_miniexp_cpp
--- graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp        12 May 2015 
16:10:27 -0000      1.2
+++ graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp        16 Sep 2021 
21:01:47 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-libdjvu_miniexp_cpp,v 1.2 2015/05/12 16:10:27 shadchin Exp $
---- libdjvu/miniexp.cpp.orig   Wed Feb 11 09:35:37 2015
-+++ libdjvu/miniexp.cpp        Sat Mar 28 21:24:09 2015
-@@ -1241,7 +1241,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
+Index: libdjvu/miniexp.cpp
+--- libdjvu/miniexp.cpp.orig
++++ libdjvu/miniexp.cpp
+@@ -1300,7 +1300,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
  
  static int true_stdio_fgetc(miniexp_io_t *io) {
    FILE *f = (io->data[0]) ? (FILE*)(io->data[0]) : stdin;
Index: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
diff -N graphics/djvulibre/patches/patch-tools_ddjvu_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ graphics/djvulibre/patches/patch-tools_ddjvu_cpp    16 Sep 2021 21:01:47 
-0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+Fix CVE-2021-32491: Integer Overflow Leading to Heap-Based Buffer Overflow
+https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
+
+Index: tools/ddjvu.cpp
+--- tools/ddjvu.cpp.orig
++++ tools/ddjvu.cpp
+@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
+   } else if (style == DDJVU_FORMAT_GREY8)
+     rowsize = rrect.w;
+   else
+-    rowsize = rrect.w * 3; 
+-  if (! (image = (char*)malloc(rowsize * rrect.h)))
++    rowsize = rrect.w * 3;
++  size_t bufsize = (size_t)rowsize * rrect.h;
++  if (bufsize / rowsize != rrect.h)
++    die(i18n("Integer overflow when allocating image buffer for page %d"), 
pageno);
++  if (! (image = (char*)malloc(bufsize)))
+     die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+   /* Render */
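Review bot: The new check `bufsize / rowsize != rrect.h` in render() divides by `rowsize` without excluding zero, and `rowsize = rrect.w * 3` on the line above is still computed in the narrower type before anything is widened. Neither the declaration of `rowsize` nor the range of `rrect.w` is visible in the hunk, so this is hedged: if `rowsize` is `int`, a large width can wrap in that multiplication and the later `size_t` check no longer sees the real size. I would reject non-positive values first, e.g. `if (rowsize <= 0 || rrect.h <= 0) die(...);`, and confirm that the other `rowsize` branches above the hunk are bounded the same way.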
Index: graphics/djvulibre/patches/patch-tools_djvused_cpp
===================================================================
RCS file: graphics/djvulibre/patches/patch-tools_djvused_cpp
diff -N graphics/djvulibre/patches/patch-tools_djvused_cpp
--- graphics/djvulibre/patches/patch-tools_djvused_cpp  2 Mar 2016 20:10:36 
-0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,27 +0,0 @@
-$OpenBSD: patch-tools_djvused_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
-
-"accept documents with duplicate page titles"
-
-http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
-https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
-
---- tools/djvused.cpp.orig     Sun Feb  8 20:39:42 2015
-+++ tools/djvused.cpp  Wed Feb  3 01:51:28 2016
-@@ -66,6 +66,7 @@
- #include "GString.h"
- #include "DjVuDocEditor.h"
- #include "DjVuDumpHelper.h"
-+#include "DjVuMessageLite.h"
- #include "BSByteStream.h"
- #include "DjVuText.h"
- #include "DjVuAnno.h"
-@@ -2315,7 +2316,8 @@ execute()
-       G_CATCH(ex)
-         {
-           vprint("Error (%s): %s",
--                 (const char*)ToNative(token), ex.get_cause());
-+                 (const char*)ToNative(token), 
-+                 (const char *)DjVuMessageLite::LookUpUTF8(ex.get_cause()));
-           if (! verbose)
-             G_RETHROW;
-         }
Index: graphics/djvulibre/pkg/PLIST
===================================================================
RCS file: /cvs/ports/graphics/djvulibre/pkg/PLIST,v
retrieving revision 1.10
diff -u -p -r1.10 PLIST
--- graphics/djvulibre/pkg/PLIST        1 Jul 2018 18:33:36 -0000       1.10
+++ graphics/djvulibre/pkg/PLIST        16 Sep 2021 21:01:47 -0000
@@ -22,7 +22,7 @@
 include/libdjvu/
 include/libdjvu/ddjvuapi.h
 include/libdjvu/miniexp.h
-lib/libdjvulibre.a
+@static-lib lib/libdjvulibre.a
 lib/libdjvulibre.la
 @lib lib/libdjvulibre.so.${LIBdjvulibre_VERSION}
 lib/pkgconfig/ddjvuapi.pc
@@ -72,20 +72,19 @@ share/djvu/pubtext/
 share/djvu/pubtext/DjVuMessages.dtd
 share/djvu/pubtext/DjVuOCR.dtd
 share/djvu/pubtext/DjVuXML-s.dtd
-share/icons/hicolor/128x128/mimetypes/djvu.png
-share/icons/hicolor/16x16/mimetypes/djvu.png
+share/icons/hicolor/128x128/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/16x16/mimetypes/image-vnd.djvu.png
 share/icons/hicolor/20x20/
 share/icons/hicolor/20x20/mimetypes/
-share/icons/hicolor/20x20/mimetypes/djvu.png
-share/icons/hicolor/22x22/mimetypes/djvu.png
-share/icons/hicolor/24x24/mimetypes/djvu.png
-share/icons/hicolor/256x256/mimetypes/djvu.png
-share/icons/hicolor/32x32/mimetypes/djvu.png
-share/icons/hicolor/48x48/mimetypes/djvu.png
-share/icons/hicolor/64x64/mimetypes/djvu.png
-share/icons/hicolor/72x72/mimetypes/djvu.png
-share/icons/hicolor/96x96/mimetypes/djvu.png
-share/icons/hicolor/scalable/mimetypes/djvu.svgz
-share/mime/packages/djvulibre-mime.xml
 @tag gtk-update-icon-cache %D/share/icons/hicolor
 @tag update-mime-database
+share/icons/hicolor/20x20/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/22x22/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/24x24/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/256x256/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/32x32/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/48x48/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/64x64/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/72x72/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/96x96/mimetypes/image-vnd.djvu.png
+share/icons/hicolor/scalable/mimetypes/image-vnd.djvu.svgz
